05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Size

87KB
MD5

3cda06dd3b62a928a17bc4a441d31b00
SHA1

a14c9f0dcddceb102ef879571a936f1a960af169
SHA256

05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6
SHA512

1912eee949ce8127f9bcf8df7848f0f849a8998465a09f87be79b33ed1a084b93145541a0ec1208bff2ff6337673753052c7fe7bd4ae916da8bdb365524506ef
SSDEEP

1536:4fFPD8D1aYWmQxLFi4ZrstIm8pZ6VlyA3w9kCuRQ4MRSRBDNrR0RVe7R6R8RPD2d:+crGLFZItIUry39kvepAnDlmbGcGFDex

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe

Executes dropped EXE 45 IoCs

pid	Process
4700	Bfkedibe.exe
3680	Bmemac32.exe
1620	Belebq32.exe
5008	Bcoenmao.exe
4716	Cfmajipb.exe
2964	Cenahpha.exe
2676	Chmndlge.exe
3812	Cjkjpgfi.exe
3396	Cnffqf32.exe
4476	Caebma32.exe
2980	Cnicfe32.exe
3500	Cagobalc.exe
1772	Chagok32.exe
4040	Cjpckf32.exe
2248	Cdhhdlid.exe
3788	Cffdpghg.exe
1492	Cmqmma32.exe
2052	Cegdnopg.exe
3172	Ddjejl32.exe
2932	Danecp32.exe
4984	Ddmaok32.exe
1172	Dfknkg32.exe
2468	Djgjlelk.exe
4468	Daqbip32.exe
2704	Delnin32.exe
1668	Ddonekbl.exe
1656	Dhkjej32.exe
4396	Dfnjafap.exe
3856	Dkifae32.exe
4764	Dmgbnq32.exe
1664	Daconoae.exe
4824	Deokon32.exe
3808	Ddakjkqi.exe
800	Dhmgki32.exe
1788	Dfpgffpm.exe
4892	Dkkcge32.exe
4936	Dogogcpo.exe
2636	Dmjocp32.exe
1952	Daekdooc.exe
1636	Deagdn32.exe
4440	Dhocqigp.exe
540	Dgbdlf32.exe
3112	Dknpmdfc.exe
2588	Doilmc32.exe
1204	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe

Program crash 1 IoCs

pid	pid_target	Process
4508	1204	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4700	3016	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe	83
PID 3016 wrote to memory of 4700	3016	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe	83
PID 3016 wrote to memory of 4700	3016	05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe	83
PID 4700 wrote to memory of 3680	4700	Bfkedibe.exe	84
PID 4700 wrote to memory of 3680	4700	Bfkedibe.exe	84
PID 4700 wrote to memory of 3680	4700	Bfkedibe.exe	84
PID 3680 wrote to memory of 1620	3680	Bmemac32.exe	85
PID 3680 wrote to memory of 1620	3680	Bmemac32.exe	85
PID 3680 wrote to memory of 1620	3680	Bmemac32.exe	85
PID 1620 wrote to memory of 5008	1620	Belebq32.exe	86
PID 1620 wrote to memory of 5008	1620	Belebq32.exe	86
PID 1620 wrote to memory of 5008	1620	Belebq32.exe	86
PID 5008 wrote to memory of 4716	5008	Bcoenmao.exe	87
PID 5008 wrote to memory of 4716	5008	Bcoenmao.exe	87
PID 5008 wrote to memory of 4716	5008	Bcoenmao.exe	87
PID 4716 wrote to memory of 2964	4716	Cfmajipb.exe	88
PID 4716 wrote to memory of 2964	4716	Cfmajipb.exe	88
PID 4716 wrote to memory of 2964	4716	Cfmajipb.exe	88
PID 2964 wrote to memory of 2676	2964	Cenahpha.exe	89
PID 2964 wrote to memory of 2676	2964	Cenahpha.exe	89
PID 2964 wrote to memory of 2676	2964	Cenahpha.exe	89
PID 2676 wrote to memory of 3812	2676	Chmndlge.exe	90
PID 2676 wrote to memory of 3812	2676	Chmndlge.exe	90
PID 2676 wrote to memory of 3812	2676	Chmndlge.exe	90
PID 3812 wrote to memory of 3396	3812	Cjkjpgfi.exe	91
PID 3812 wrote to memory of 3396	3812	Cjkjpgfi.exe	91
PID 3812 wrote to memory of 3396	3812	Cjkjpgfi.exe	91
PID 3396 wrote to memory of 4476	3396	Cnffqf32.exe	93
PID 3396 wrote to memory of 4476	3396	Cnffqf32.exe	93
PID 3396 wrote to memory of 4476	3396	Cnffqf32.exe	93
PID 4476 wrote to memory of 2980	4476	Caebma32.exe	94
PID 4476 wrote to memory of 2980	4476	Caebma32.exe	94
PID 4476 wrote to memory of 2980	4476	Caebma32.exe	94
PID 2980 wrote to memory of 3500	2980	Cnicfe32.exe	95
PID 2980 wrote to memory of 3500	2980	Cnicfe32.exe	95
PID 2980 wrote to memory of 3500	2980	Cnicfe32.exe	95
PID 3500 wrote to memory of 1772	3500	Cagobalc.exe	97
PID 3500 wrote to memory of 1772	3500	Cagobalc.exe	97
PID 3500 wrote to memory of 1772	3500	Cagobalc.exe	97
PID 1772 wrote to memory of 4040	1772	Chagok32.exe	98
PID 1772 wrote to memory of 4040	1772	Chagok32.exe	98
PID 1772 wrote to memory of 4040	1772	Chagok32.exe	98
PID 4040 wrote to memory of 2248	4040	Cjpckf32.exe	100
PID 4040 wrote to memory of 2248	4040	Cjpckf32.exe	100
PID 4040 wrote to memory of 2248	4040	Cjpckf32.exe	100
PID 2248 wrote to memory of 3788	2248	Cdhhdlid.exe	101
PID 2248 wrote to memory of 3788	2248	Cdhhdlid.exe	101
PID 2248 wrote to memory of 3788	2248	Cdhhdlid.exe	101
PID 3788 wrote to memory of 1492	3788	Cffdpghg.exe	102
PID 3788 wrote to memory of 1492	3788	Cffdpghg.exe	102
PID 3788 wrote to memory of 1492	3788	Cffdpghg.exe	102
PID 1492 wrote to memory of 2052	1492	Cmqmma32.exe	103
PID 1492 wrote to memory of 2052	1492	Cmqmma32.exe	103
PID 1492 wrote to memory of 2052	1492	Cmqmma32.exe	103
PID 2052 wrote to memory of 3172	2052	Cegdnopg.exe	104
PID 2052 wrote to memory of 3172	2052	Cegdnopg.exe	104
PID 2052 wrote to memory of 3172	2052	Cegdnopg.exe	104
PID 3172 wrote to memory of 2932	3172	Ddjejl32.exe	105
PID 3172 wrote to memory of 2932	3172	Ddjejl32.exe	105
PID 3172 wrote to memory of 2932	3172	Ddjejl32.exe	105
PID 2932 wrote to memory of 4984	2932	Danecp32.exe	106
PID 2932 wrote to memory of 4984	2932	Danecp32.exe	106
PID 2932 wrote to memory of 4984	2932	Danecp32.exe	106
PID 4984 wrote to memory of 1172	4984	Ddmaok32.exe	107

C:\Users\Admin\AppData\Local\Temp\05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
"C:\Users\Admin\AppData\Local\Temp\05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\Bfkedibe.exe
  C:\Windows\system32\Bfkedibe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\Bmemac32.exe
    C:\Windows\system32\Bmemac32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\SysWOW64\Belebq32.exe
      C:\Windows\system32\Belebq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 408
        47⤵
        Program crash
        
        PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1204 -ip 1204
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
87KB

MD5
8dd31feb8d077f66e638212ec10d4831

SHA1
eaaa35a6434f814d6ad9700d2efaf500515a519e

SHA256
5b7183f56e3ab7c9ec02cf337a3c63f198d46f42f54525b5d3e292d580603460

SHA512
78b11955804984d72642c5ab48e9d72145c3cd8fdbfe4b55b0b4a62695bcd9f2cd4bd5ba758756e9bf1ae36bc8af3e1030a644d1f36f9820bfb3781fc0e0c31c

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
87KB

MD5
1cc7f6e72b3ef168dde56c5900c4781b

SHA1
0804b7e2931f8b7aa555b3f7461be86d5253d712

SHA256
833181197e809b0ee7ff4a6eb2529409450c5bdec413613fd0875fa116024bda

SHA512
858945bca9a976be34b40a4175691917a5fe22385034560750f41d18a0db75f1c5130cb6779e4940faad630241d4a1dd482370c343081f0097dedf2461a53207

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
87KB

MD5
56ccb3e32b9f5fa1e63c8adf6a693ed3

SHA1
9aad99ed0783e5bafd58b3174d26e39db18735a4

SHA256
081042273cc4aeaf3f8870a9b46f08485812eb956dd5f9455c5f8f60f6d2bd15

SHA512
bec6b0b002fb00bc69bfacff983d39d490578ff3184e5705e3e247914b0e17e57de6034b689ba9325bb45a7a981e30d10d00465963c6d0f6ab162bc9d034db89

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
87KB

MD5
7e343067b801caea4c585f5d7f7dff2f

SHA1
21a77fafc59579369bf1d83b43e8830680b7b525

SHA256
cdc16924c10defad02c3bb4af0bdbef348971a00786a1a266d095dd51c54f4dc

SHA512
a765e39ee93186de8b8d08ba97574ee0a70af5e641e946cad8ecb97817755c2856847e700b6f99cb142984b31a3d047aab30a068c48c84d9dc2d828e26daa885

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
87KB

MD5
4d4d7016f1ff924072d8d0392189a830

SHA1
a0e1243d48afe18d4c5bd77aa9b2cba5ec68c018

SHA256
5fef1dfe248b30a063dc640f5e3a7ed77d61efa11447278cdab82379dcb63342

SHA512
63865ef6305fff918d2ef96743a04ba641c94db1c49317e32800b582159261c2d488dcfc23b7990ae3cdc49fe330e335518310edaad09cde012b7e26853d7426

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
87KB

MD5
6a85fe7eee4fc34a2095a41b7d18dd94

SHA1
11be6457c820d1a5f741499dbbf0ca55c055b021

SHA256
126a1ec1612013454c651bca029eb378ddcdef53da4afafddc8eb2729b03bb06

SHA512
73b01651e67f88f8b75056f257a9cac9982d10af3cbf396d6a9d8fe490317b41548a447ef7d2c1bd46dc772307c41f9a1a1bb16d8054517032de81c8e274866c

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
87KB

MD5
cee4b6066706e4c3a22635465feeab6c

SHA1
87e30725f66635e3edb526fd447c0932824ca879

SHA256
b20de6aedef2ea8a03b7d5a98b3c76a5161c3ca6233a4365b740a5c71893c8ad

SHA512
d83638e6bc286b99ee1b05b276f651e09ee9791cbce95a447f14a2b20922846cb3d7ceca56d1e303d15d814410eb7aadf3264a9c0071798821c1c72e26c467f9

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
87KB

MD5
1d4cc66ef24a4b244f6dbb16df33a338

SHA1
9f09ab713f5dc1af55f36a7b818ff5a0b18f74be

SHA256
6596faca770dccfea1bd066a6a78b7a9b7209f604cbea96a80b63f6d4f35b5c3

SHA512
f784649cc61da534e00484001c2b64999e248d9a144c491e68fb187a6bd7fbc2329dd344d68a6acd37ee730ab80b00135e0c46872abadedc34fdb99bf8935053

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
87KB

MD5
558af03fdcf6dd7abbc637aab3880f3a

SHA1
07faefe73e58f7d81f8bed3d988439d0f3a86125

SHA256
0babbe7506249056cb5d043d43ec2c3eec35a0a35f1ecf5037855ecca316bb8e

SHA512
b307f7dc1dd44b3538dae6b9a9aa876a5851cb69c682edfd533025151fe8c90e09f41a5c7d4aac1864b3143b9bb3753a413a838de9036dc360b118a195be6341

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
87KB

MD5
2c556ff602c516e28fa2fb94e840a04a

SHA1
a15ff0d3d3bad5fba0eacf1cfc2c8f57b9ee606f

SHA256
e48c1f60f9cf56217498c223d59ed18a4473b592d5d8aa0fbe281aff573e9e33

SHA512
d349c8d601b568136c074a4708dd1bdcc12b364c65fbeeba02f9a6249e15ee5d709e5b91c6a40ad7a428cfaedc649e07cde9ac82b36f0e7f53a00c4431f2dd2d

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
87KB

MD5
5ef3f10144cdfcd9339d5ac679c7193b

SHA1
0881bd0e93e2c84b16fb2fdd5563479918326a8a

SHA256
ddd28f0d1daf08270bac76ed5ac49297e39be2c773ceffafc534e50feca43b36

SHA512
f7de9bfab3e3f6577dcb39ca113db3078ae12359c877887ee8cacc5c62fa934382e462c506c611d66a7923b1c7b97778b7c7485473b3864292699c6153cb23fa

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
87KB

MD5
b52c115488fb74664acc32856dbb164c

SHA1
ba6b0540ffef2031e1d42f1af7bd37873ff5f651

SHA256
f4ee9c066a51ea20bce9318be8af705deb170eb71c6b4c99019285fe5947d9ca

SHA512
7f6792b39f7d8658c7a4a9f84a2a009972f5f0e3f55c597c5d29b8fd536855a0c0752d7d0953d77b35ffec2e0b9ebdb83561793fabd662808b03f59f586b1219

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
87KB

MD5
27da4b3b0fdb7bb75c53a37fc8516bc3

SHA1
a12fafac94504051cf16f3e16c8657dbc666e9b1

SHA256
cd9c473ab6960997e2b9c67291cc987f0e1c3d4799e61013b72717038464bca9

SHA512
b20a553ca60d6532c4533dcc7e32505bfd64ed8a852aa040e8384c121c1ad1bce70a4fda9bd3589991e15ee1f92cb19037a86f02286a207742e0c0119d0a367a

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
87KB

MD5
7b55bf03a31f13ea90acdb782c400cbc

SHA1
710183af2b7ef06d96453417dd03ac234dd0823a

SHA256
6b65a359b7a0cb3166b6d0f658b6d47df2e8d1cbb61997d4900372712df7a957

SHA512
f9e5779a3b137bfcc6b52030723466633f46e142de035bda58053b3099936de9082713f8e69b8c44abbe94bcce0cfc940a815aa0093fbc65f7ec7b9d8c7cbc6b

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
87KB

MD5
e29cb41051c8b42a9c6b6a512c611ec6

SHA1
9f5fef365540db7e829149fb09748d277d0bfe78

SHA256
69035aa1177b826a41938eb7047f9e0368c025f23ad0bfb1c7e43a2028d1d8ab

SHA512
25657644a714f5ce0c9368c2762e530a4816beed1288904f573eab943a390ab925664a3106759be7acedf9af021f3dbeb6a94bd082a91f01c9d38481d403e0d6

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
87KB

MD5
ac6279857cd76133ce1b3007021df72e

SHA1
84bd5be329458128564b4c2985cf3bc140e99185

SHA256
8a6c19c0064c8d6048ae8125d5c403c804d1dd7fb0df74c7afdef0ffb3b9872e

SHA512
a6618ed0767a59a72b6d8aeb30f9d6de83fedaca0fce8ef6e2b222f56960d76fa3cbba1b01fa25ae0759611a7f6a1d67ea299822862cedfd97fc4be3c9c31931

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
87KB

MD5
0139bc8a37cdbf54d814b1355241b3b4

SHA1
2c4454806dcf72a0c3111c2097a53cd40bbf5911

SHA256
47833cc2b7c67bbe81f8e702761109c5328cadd4c5a990ac2b7319e0d5bae535

SHA512
c2dd2534d3cba55c4e4a25aeb8f90338da4800852e68f0782fb7d7ef871b2d9b0c5dc061bb28b2ea6dd5a5fb73b3af579c9ae5c27217ae0c7a218dada61dd21c

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
87KB

MD5
82c6ad2c576611e70fd696658fb6e543

SHA1
d86851c85d820ec85cc81b86df0790a5d42419eb

SHA256
249cd0baa91ce9120c91728fece24ffe201e9492e1912bdca0f692a9fb86b014

SHA512
78d6697e12f7aa5dc723deeb8b4054429498870d5325d87a24c260fc17eb29645f603efcc8e11eaf2770f0f70030e8aaa47cdd71dd23515a7bef8a834e5e637d

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
87KB

MD5
500330565057a8e2d2946fe24c3eea8c

SHA1
4f6aaa62fceebc338aa3bbb9854646c9335bf4a5

SHA256
3240774db8d3f86b8f741937230655c5a633fe0ca75c4e6d1aef9dc15fa0b8ea

SHA512
b632fe27866da7c4514d80c7f88be2c17d8a5f92d6e87c39cc461a5fe7eadda4bdb5f5db6cf50ae2471a0246facb08f3ff7f12fed8b1820ed0a07390acfc63e9

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
87KB

MD5
ae29611c2657dd09b517a17eb9707cd0

SHA1
a6a6e5d9850075cc26858009192dae82d4f59c9d

SHA256
0e4ff7aef2c90c94d7c4a7e144aeedad6675392b515297738fec4407a7ce0341

SHA512
03d898fafe256e322f925f9f91f28ba93309d5b59d9490b30eda2f4cb1fe8210d52229105804271ce6d123e952eda84c863a422e713a00b4c6e9d460d9f8dc37

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
87KB

MD5
053e1e1361062ceb275f24873d43c565

SHA1
ad0d16caca6442993450af98a5a32e475d68cc27

SHA256
d52691debf3eb114021355b8136d83b89b546bb9ef6d5b26f16a0d8f6e78687c

SHA512
a5c545e241e90ceeef0bd54f2f423c295de780f85869246c660d001d5aaf64b9015d353b1897f956c8c28ead311cf707bc95f095d49052fa8347c903abdfbb15

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
87KB

MD5
6cc9c335ee12b44453d8793cd72f38a4

SHA1
8c59a781a9d8a78d086244a6cf34e09634d4dd1e

SHA256
31c6bfe8adbcf177f88b9b9bbf6d87930dfbefdea99de5ce0e2674096e0cfb71

SHA512
e0e579e76cfab7cc1b7c5b77e1f336ad734bbc42ef87cf396ba55c90bf71b69990a320b008823469ac970450d20511784272657a3b50dfef60410aab71fb9ef6

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
87KB

MD5
228da0e04fb3eab353fb1111d368c950

SHA1
9ac2f99141b838613b84a82bdf993b10b961b814

SHA256
e9a80d5847bba659d8d81e16bd750d07f92de24790de615d03ab8871afa160eb

SHA512
fc2fd1e0d5248027a69b26ba147ae88089e787dd89a79ec161e5d6d25b22fb834a822bdfdc753db5f1d672552721f8d3b6db3762168a2bfa8d6fa366e816e7c9

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
87KB

MD5
f869590c584e27e8ce999f3ee5e7fd92

SHA1
656e3552dcf734575299c83b187748184c056fac

SHA256
87a7e8bcff594a10a4606c2736288ffc9c6b0e9f0baf33c3482248885a6d3eab

SHA512
bfccf43be36d1109400289ad02c92c705d9917e988d1c1f2627cebad39cd8067a696a0d373387346a696bb02606ee28f390e1703fee21ee7e6fd06c26930f045

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
87KB

MD5
df2705944f318c4ce7f0b318e7094f03

SHA1
b60611ece39f95239c460890589bb4c622655b5b

SHA256
b68755b4e14c30d15ae9793f97f3a5f16f5a1d77dc2c72b698dd880e2090c5c1

SHA512
1fb81b44da7bbeec23629ad9017bfd77c6d2e727ae7d82681d966af509bef608eea9ec98ddb97967ad08a32ec9ccdd7ee98ab28858dab911e9af7f328cc1a48f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
87KB

MD5
74190cad537641bfbb203368899f5480

SHA1
d6a97d5bab8517ecc8a300f0b508040571aaaac8

SHA256
0a1d90a24fc146585897f17edaf0ec0f031a5b35b9c39c6e2532fcda842be942

SHA512
1a2ec8ad3c257d0165b69ecdf276d22f90f5d335001e73980a6ca7baeb51a7003494f5b63b9b2a052af9748bf03f980408b9ab7fcb11466d99899149263bfe69

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
87KB

MD5
0e554943ad67a199ac630e07eb617a52

SHA1
370028937ce69c7e80ce34fb955cf234d5e16714

SHA256
2772658a60372e32733419bf9ef23c9d56abbd2f4190fee4a8aeeaa28e22b631

SHA512
21f4019d58b5c2b84ea0000a59cd66a9e3b44ce534b2535a956f849840edfd109cef19db7acd323f7073e7a7a49c71b0b8fbc8b2de6440f9cd19eb7f209874b7

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
87KB

MD5
0b54ff0de46e18f1f0ff252b74942bd8

SHA1
9d0b379ef47db7f2b845e99ad163821ac9c43d9b

SHA256
1a14d1d46d789afa3f2e953e4757b70bc49a56645a17c41f6ec44e6aed03e8f6

SHA512
bc5390703d6624ae5724e0924a1fdcf2e5e23f05114581cc8cf3cb9df15ccfd746f0e9c11741865df6193c061759d36ede2c232fff412f09baba0bdd51551e60

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
87KB

MD5
917910b7cb4af2bd996836757fc787d6

SHA1
e94b15b16fefdc448ac802daab60262132059c8d

SHA256
4edb7381a32d107c3b35b99db73492503fbeffe657307f1496317515ccb7e9b5

SHA512
3ad80f03ace862dc17c790a489d96fdbbe7ef23ee766d4c5d776440b7b1f73b98cc766e51a4c74b5f48cc22eac512d4a1ca3b78c16f7f6bc07f3bcbd99ccf956

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
87KB

MD5
287793c20c9b9f076c67a2b5e4cf8750

SHA1
66ec3d92527f2e32b277c2a2220cf32a327e864d

SHA256
5aa44e6ec80fe50ed7348cccf2f41b8bc78fb2649d94c6c8826056084c366af0

SHA512
d09fe77bd85f17a24c4837973fe62060b5b6c872176d4dcd94a29b2e11ee3509a2da49f83a92926a7a608ea0680136a57e0cd52a107e3779785484dab8b880aa

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
87KB

MD5
f6aac302e8015c2ea970be9c90b7bdb1

SHA1
95605fdacd49f39c6d9a315d21e478a5390533f2

SHA256
e2633e3ca1a8d4503026559dca5edb4ef5df4caf2eb228c89bb9c29e2abecfb8

SHA512
6ae670a08e7e9de9a46ac3d83d381a502d0e7401297526d4d294d436c917a0857dd62c6a1da32d7fc3c97c1075b8aadef8022124c6fa9d4f2edfd67898f62e11

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
87KB

MD5
d103c4116d92b6f8d8b4688312bf3369

SHA1
fcff1038979bcfd30d935cbf8e5f2c841ba6f0cc

SHA256
9b3d22c2b7baefee5328893baea9c4f99ab9ed333b0d25bcc07117fce5a5b22c

SHA512
a16f962f1c1d5451d10a82110a8b815e257ecbc0fdedf303d64aaac79f4e3b4401baaf833b953a4eeb42e9e4bd8d5de65336ff93df72f5ee2d9850cb2eccb598

Download Submit
C:\Windows\SysWOW64\Imbajm32.dll

Filesize
7KB

MD5
d46143bb490a9a62b0fbd46c19998387

SHA1
e621f6f0d95fb67c499f904e6f865ee60ee3f213

SHA256
3e03a286e039e14c7bfd6c1ab0b55851288fa24f7e479823a35338f06d8e3ab0

SHA512
231783cfbb7e118ba14f76ba08c2803f94c1196e6e0e5d62fac1037f1142ff000bdcf011836043e40a376b876a77d798a4ce5ab62fd52e87000f786e55ea6e94

Download Submit
memory/540-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3788-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-265-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-34-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads